by Swapnil Bhartiya

CII’s Best Practices badge program is making open source projects more secure

May 03, 2016
Linux | Open Source | Security

Curl, GitLab, the Linux kernel, OpenBlox, OpenSSL, Node.js and Zephyr have received badges

The Core Infrastructure Initiative (CII), a Linux Foundation collaborative project, has announced the first round of CII Best Practices badges. The recipients include Curl, GitLab, the Linux kernel, OpenBlox, OpenSSL, Node.js and Zephyr.

CII is the result of collaboration between many industry players, including Microsoft, Bloomberg, Facebook and Qualcomm, among others. The primary goal of the project is to assess the security, quality and stability of open source software.

While open source projects boast of being more secure than proprietary solutions, the fact is that not every project has the resources or mechanisms to ensure security. In many cases there are not enough eyeballs to render all bugs shallow.

CII enables technology companies, industry stakeholders and esteemed developers to collaboratively identify, fund and improve the security of critical open source projects.

And it’s already working. “The latest round of badges includes an assessment of OpenSSL, the open source software responsible for most encryption on the Internet, both before the Heartbleed vulnerability and after it received support from CII. Prior to Heartbleed, OpenSSL failed to meet more than one-third of the CII Best Practices Badge criteria. Today it meets 100 percent. This helps demonstrate how far OpenSSL has come with the support of the industry and how the CII Best Practices Badges can signal failing or passing scores,” CII said in a statement.

The project is spearheaded by David A. Wheeler, an open source and security research expert who works for the Institute for Defense Analyses (IDA) and also coordinates the CII’s Census Project, and Dan Kohn, a senior adviser to the CII. Wheeler and Kohn are working with open source developers to make the certification process seamless and automated, and they welcome input and pull requests.